UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows 2008 Member Server Security Technical Implementation Guide


Overview

Date Finding Count (192)
2015-06-25 CAT I (High): 18 CAT II (Med): 135 CAT III (Low): 39
STIG Description
The Windows 2008 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from DoD consensus, as well as the Windows 2008 Security Guide and security templates published by Microsoft Corporation. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-1073 High Systems must be at supported service packs (SP) or releases levels.
V-34974 High The Windows Installer Always install with elevated privileges must be disabled.
V-39137 High The Enhanced Mitigation Experience Toolkit (EMET) v5.x or later must be installed on the system.
V-18010 High Unapproved Users have access to Debug programs.
V-6834 High Named Pipes and Shares can be accessed anonymously.
V-1159 High The Recovery Console option is set to permit automatic logon to the system.
V-1153 High The Send download LanMan compatible password option is not set to Send NTLMv2 response only\refuse LM.
V-2374 High The system is configured to autoplay removable media.
V-1093 High Anonymous shares are not restricted.
V-3338 High Unauthorized named pipes are accessible with anonymous credentials.
V-3339 High Unauthorized registry paths are remotely accessible.
V-3343 High Solicited Remote Assistance is allowed.
V-3340 High Unauthorized shares can be accessed anonymously.
V-3344 High The use of local accounts with blank passwords is not restricted to console logons only.
V-4443 High Unauthorized registry paths and sub-paths are remotely accessible.
V-1102 High Unauthorized users are granted right to Act as part of the operating system.
V-17900 High Disallow AutoPlay/Autorun from Autorun.inf
V-3379 High The system is configured to store the LAN Manager hash of the password in the SAM.
V-14256 Medium Web Publishing and online ordering wizards prevented from downloading list of providers.
V-26486 Medium The Deny log on through Terminal Services user right on member servers must be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems.
V-3383 Medium The system is not configured to use FIPS compliant Algorithms for Encryption, Hashing, and Signing.
V-3381 Medium The system is not configured to recommended LDAP client signing requirements.
V-1171 Medium Ejection of removable NTFS media is not restricted to Administrators.
V-3469 Medium The system is configured to prevent background refresh of Group Policy.
V-15721 Medium Windows Mail – Disable Application
V-15722 Medium Media DRM – Internet Access
V-16000 Medium Terminal Services – Smart Card Device Redirection Enabled (Terminal Server Role).
V-56511 Medium The Windows Error Reporting Service must be running and configured to start automatically.
V-16008 Medium UAC - Application Elevations
V-1164 Medium Outgoing secure channel traffic is not signed when possible.
V-1166 Medium The Windows SMB client is not enabled to perform SMB packet signing when possible.
V-3378 Medium The system is not configured to use the Classic security model.
V-1163 Medium Outgoing secure channel traffic is not encrypted when possible.
V-1162 Medium The Windows SMB server is not enabled to perform SMB packet signing when possible.
V-3470 Medium The system is configured to allow unsolicited remote assistance offers.
V-3385 Medium The system must be configured to require case insensitivity for non-Windows subsystems.
V-1089 Medium The required legal notice must be configured to display before console logon.
V-3479 Medium The system is not configured to use Safe DLL Search Mode.
V-36705 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
V-1080 Medium File-auditing configuration does not meet minimum requirements.
V-36701 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
V-36702 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled.
V-36703 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
V-36704 Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
V-14242 Medium User Account Control - Non UAC Compliant Application Virtualization
V-6850 Medium Auditing records must be configured as required.
V-36706 Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
V-15697 Medium Network – Responder Driver
V-15696 Medium Network – Mapper I/O Driver
V-6836 Medium For systems utilizing a logon ID as the individual identifier, passwords must be a minimum of 14 characters in length.
V-6832 Medium The Windows Server SMB client is not enabled to always perform SMB packet signing.
V-6833 Medium The Windows Server SMB server is not enabled to always perform SMB packet signing.
V-6831 Medium Outgoing secure channel traffic is not encrypted or signed.
V-14262 Medium IPv6 must be disabled until a deliberate transition strategy has been implemented. Use of IPv6 transition technologies must be disabled.
V-14261 Medium Windows is prevented from using Windows Update to search for drivers.
V-14260 Medium Computer prevented from downloading print driver packages over HTTP.
V-1154 Medium Ctrl+Alt+Del security attention sequence is Disabled.
V-1155 Medium The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems.
V-1157 Medium The Smart Card removal option is set to take no action.
V-1099 Medium Lockout duration does not meet minimum requirements.
V-1098 Medium Time before bad-logon counter is reset does not meet minimum requirements.
V-2372 Medium Reversible password encryption is not disabled.
V-1097 Medium Number of allowed bad-logon attempts does not meet minimum requirements.
V-3382 Medium The system is not configured to meet the minimum requirement for session security for NTLM SSP based Clients.
V-3372 Medium The system can be removed from the docking station without logging on first.
V-15991 Medium UAC - Allow UIAccess applications to prompt for elevation without using the secure desktop
V-3376 Medium The system is configured to permit storage of credentials or .NET Passports.
V-15997 Medium Terminal Services – Prevent COM Port Redirection (Terminal Server Role).
V-3374 Medium The system is not configured to require a strong session key.
V-36439 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-15998 Medium Terminal Services – Prevent LPT Port Redirection (Terminal Server Role).
V-15999 Medium Terminal Services – Prevent Plug and Play Device Redirection (Terminal Server Role).
V-15682 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-15683 Medium Windows Explorer – Shell Protocol Protected Mode
V-1145 Medium Automatic logons must be disabled.
V-1141 Medium Unencrypted password is sent to 3rd party SMB Server.
V-15685 Medium Windows Installer – User Control
V-57473 Medium The maximum number of error reports to queue on a system must be configured to 50 or greater.
V-57471 Medium The system must be configured to add all error reports to the queue.
V-57477 Medium The system must be configured to automatically consent to send all data requested by a local or DOD-wide error collection site.
V-57475 Medium The system must be configured to attempt to forward queued error reports once a day.
V-57479 Medium The system must be configured to permit the default consent levels of Windows Error Reporting to override any other consent policy setting.
V-3458 Medium Terminal Services idle session time limit does not meet the requirement (Terminal Server Role).
V-3457 Medium Terminal Services is not configured to set a time limit for disconnected sessions (Terminal Server Role).
V-3456 Medium Terminal Services is not configured to delete temporary folders (Terminal Server Role).
V-3455 Medium Terminal Services is configured to use a common temporary folder for all sessions (Terminal Server Role).
V-3454 Medium Terminal Services is not configured with the client connection encryption set to the required level.
V-1130 Medium ACLs for system files and directories do not conform to minimum requirements.
V-26483 Medium The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-15679 Medium Windows Movie Maker Online Hosting
V-15678 Medium Windows Movie Maker Web Links
V-15677 Medium Windows Movie Maker Codec Downloads
V-15674 Medium Disable Internet File Association Service
V-14241 Medium User Account Control - Switch to secure desktop
V-14240 Medium User Account Control - Run all admins in Admin Approval Mode
V-14243 Medium Require username and password to elevate a running application.
V-57463 Medium The system must be configured to archive error reports.
V-57465 Medium The system must be configured to store all data in the error report archive.
V-14247 Medium Terminal Services / Remote Desktop Service - Prevent password saving in the Remote Desktop Client
V-57467 Medium The maximum number of error reports to archive on a system must be configured to 100 or greater.
V-14249 Medium Terminal Services / Remote Desktop Services - Local drives prevented from sharing with Terminal Servers (Terminal Server Role).
V-57469 Medium The system must be configured to queue error reports until a local or DOD-wide collector is available.
V-3377 Medium The system is configured to give anonymous users Everyone rights.
V-1115 Medium The built-in administrator account has not been renamed.
V-3480 Medium Media Player must be configured to prevent automatic checking for updates.
V-15699 Medium Network – Windows Connect Now Wizards
V-15666 Medium Windows Peer to Peer Networking
V-15667 Medium Prohibit Network Bridge in Windows
V-15698 Medium Network – Windows Connect Now Wireless Configuration
V-1114 Medium The built-in guest account has not been renamed.
V-14258 Medium Search Companion prevented from automatically downloading content updates.
V-14259 Medium Prevent printing over HTTP.
V-57455 Medium The system must be configured to prevent the display of error messages to the user.
V-14257 Medium Windows Messenger prevented from collecting anonymous information.
V-14254 Medium Client computers required to authenticate for RPC communication.
V-14255 Medium File and Folder Publish to Web option unavailable.
V-14253 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-15684 Medium Windows Installer – IE Security Prompt
V-32274 Medium The DoD Interoperability Root CA 1 to DoD Root CA 2 cross certificate must be installed.
V-32272 Medium The DoD Root Certificate must be installed.
V-15823 Medium Remove Software Certificate Installation Files
V-3349 Medium Windows Messenger (MSN Messenger, .NET messenger) is run at system startup.
V-3348 Medium The user is allowed to launch Windows Messenger (MSN Messenger, .NET Messenger).
V-1118 Medium Event log sizes do not meet minimum requirements.
V-4448 Medium Group Policy objects are not reprocessed if they have not changed.
V-4447 Medium The Terminal Server does not require secure RPC communication (Terminal Server Role).
V-4446 Medium Software certificate restriction policies are not enforced.
V-14229 Medium Audit of Backup and Restore Privileges is not turned off.
V-14228 Medium Auditing Access of Global System Objects must be turned off.
V-3666 Medium The system is not configured to meet the minimum requirement for session security for NTLM SSP based Servers.
V-16020 Medium Windows Customer Experience Improvement Program is disabled.
V-1103 Medium User rights and advanced user rights settings do not meet minimum requirements.
V-1107 Medium Password uniqueness does not meet minimum requirements.
V-1105 Medium Minimum password age does not meet minimum requirements.
V-1104 Medium Maximum password age does not meet minimum requirements.
V-4444 Medium Users must enter a password to access private keys.
V-14239 Medium User Account Control - Elevate UIAccess applications that are in secure locations
V-14230 Medium Audit policy using subcategories is enabled.
V-14234 Medium User Account Control - Built In Admin Approval Mode
V-14235 Medium User Account Control must, at minimum, prompt administrators for consent.
V-14236 Medium User Account Control - Behavior of elevation prompt for standard users.
V-14237 Medium User Account Control - Detect Application Installations
V-3449 Medium Terminal Services is not configured to limit users to one remote session (Terminal Server Role)
V-1113 Medium The built-in guest account is not disabled.
V-26484 Medium The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
V-26485 Medium The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-15710 Medium Online Assistance – Untrusted Content
V-15711 Medium Search – Encrypted Files Indexing
V-15713 Medium Defender – SpyNet Reporting
V-15714 Medium The system must be configured to save Error Reporting events and messages to the system event log.
V-15715 Medium The system must be configured to generate error reports.
V-15717 Medium The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
V-40237 Medium The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
V-1075 Low The system allows shutdown from the logon dialog box.
V-1174 Low Amount of idle time required before suspending a session is improperly set.
V-1173 Low The default permissions of Global system objects are not increased.
V-15720 Low Windows Mail – Communities
V-16001 Low Terminal Services – Default Only Client Printer Redirection (Terminal Server Role).
V-16005 Low Terminal Services – Remove Disconnect Option from Shut Down dialog box (Terminal Server Role).
V-26359 Low The Windows dialog box title for the legal banner must be configured.
V-1165 Low The computer account password is prevented from being reset.
V-11806 Low The system is configured to allow the display of the last user name on the logon screen.
V-1158 Low The Recovery Console SET command is enabled.
V-1150 Low The built-in Microsoft password filter is not enabled.
V-1151 Low Print driver installation privilege is not restricted to administrators.
V-1090 Low Caching of logon credentials must be limited.
V-3373 Low The maximum age for machine account passwords is not set to requirements.
V-15686 Low Windows Installer – Vendor Signed Updates
V-15687 Low Media Player – First Use Dialog Boxes
V-15680 Low The classic logon screen must be required for user logons.
V-1136 Low Users must be forcibly disconnected when their logon hours expire.
V-15676 Low Order Prints Online
V-15675 Low Windows Registration Wizard
V-15673 Low Internet Connection Wizard ISP Downloads
V-15672 Low Event Viewer Events.asp links must be turned off.
V-15671 Low Root Certificates Update
V-1172 Low Users are not warned in advance that their passwords will expire.
V-4438 Low TCP data retransmissions are not controlled.
V-4111 Low The system is configured to redirect ICMP.
V-4110 Low The system is configured to allow IP source routing.
V-4108 Low The system must generate an audit event when the audit log reaches a percentage of full threshold.
V-45589 Low A group must be defined on domain systems to include all local administrator accounts.
V-4445 Low Optional Subsystems are permitted to operate on the system.
V-4112 Low The system is configured to detect and configure default gateway addresses.
V-4116 Low The system is configured to allow name-release attacks.
V-4442 Low This check verifies that Windows is configured to have password protection take effect within a limited time frame when the screen saver becomes active.
V-15703 Low Driver Install – Device Driver Search Prompt
V-4113 Low The system is configured for a greater keep-alive time than recommended.
V-15707 Low Remote Assistance – Session Logging
V-14232 Low IPSec Exemptions are limited.
V-15718 Low Windows Explorer – Heap Termination
V-15719 Low Users must be notified if the logon server was inaccessible and cached credentials were used.